Breaking MIME concatenation

raf at raf.org raf at raf.org
Thu May 17 02:41:11 CEST 2018


Mirimir wrote:

> So the best solution would be a tweak to GnuPG that breaks HTML and
> embedded remote content. That would protect against Efail, no matter how
> email clients were configured. It'd also protect against other exploits
> that depend on fetching remote content. And it wouldn't require users to
> entirely forgo HTML and embedded remote content. Just with GnuPG.

<TongueFirmlyInCheek>

I hope that's not a suggestion that gnupg should examine the
data that it's decrypting, identify whether or not it is HTML,
identify whether or not the HTML is well-formed and complete,
and if not, append additional HTML to "complete" the incomplete
HTML.

Isn't that the same as tampering with the encrypted message? :-)

And wouldn't it need to do this even in the absence of MDC
failure? Admittedly, if there was MDC failure, the content has
already been tampered with so what harm would a little more
tampering do? :-)

And by "protect against other exploits", what did you have in
mind? Should gnupg try to identify PDF content, OLE objects in
Office documents? How much file format knowledge will gnupg need
to have stuffed into it to protect everyone from everything? :-)

</TongueFirmlyInCheek>

But I can't believe that such functionality belongs in gnupg.
Certainly not when I'm decrypting database backups.

I think it would make more sense if the email clients and addons
that use gnupg to perform email decryption performed that
addition themselves because they know to expect HTML content.

It would make even more sense for email clients not to combine
separate MIME parts naively into a single HTML document (I
wonder how many emails that would break).

It seems that nobody is expecting the email client/addon authors
to make such changes but hopefully they will.

Of course if gnupg could be changed in such a way that all email
clients were fixed automatically that would be great/efficient.
But I think the best thing gnupg can do is to suppress plaintext
output on MDC failure (as already mentioned by many) assuming
that that's even possible, but even that won't help with this
MIME part rendering issue.

cheers,
raf




More information about the Gnupg-users mailing list